Ex-Employee Fingered in Texas Power Company Hack

The FBI is investigating a computer intrusion at a large Texas power company that crippled the firm’s energy forecast system for a day in March, costing it over $26,000.

Early Thursday morning FBI agents raided the home of a former employee of Dallas-based Energy Future Holdings — the corporate parent of three large Texas electric companies, including Luminent, which has over 18,300 megawatts of generation in Texas, and operates the Comanche Peak nuclear power plant.

The ex-employee, Dong Chul Shin, was fired from the company March 3 for performance reasons, and escorted off the premises, according to court records. But the company failed to immediately shut off his VPN access. That afternoon, someone using Shin’s account began logging onto the corporate network, e-mailing out proprietary data to a personal Yahoo account linked to Shin, and modifying and deleting files, according to a search warrant affidavit by Dallas FBI agent Robert Smith.

The Comanche Peak nuclear power plant in Texas.

Company logs showed that the VPN connection originated at Shin’s home IP address, Smith writes.

While logged into the VPN, the intruder sent an e-mail to the engineering group operating the Comanche Peak nuclear reactor. The message asked questions about the safety of the reactor, in particular wondering what would happen if the load were to be “increased to 99.7 percent of capacity.” While at EFH, Smith notes, “Shin was responsible for programming the models which controlled the management of EFH power generation facilities, including Comanche Peak.”

No charges have apparently been filed, but the FBI is treating the case as a suspected violation of federal computer crime laws, including a rarely-used statute prohibiting breaking into a computer and creating “a threat to public health or safety.”

But the damage noted in the affidavit appears to be purely financial. One of the files that was tampered with, “Hourly Capacity Supplied — 2009 upload.xls,” is described as an “input file to determine the power generation required by the RFH system components.” The net result of the tampering was that “the EFH management system was rendered inoperable, resulting in EFH being unable to accurately forecast the parameters necessary to operate the business on March 4, 2009.”

That kind of sabotage would harm the company’s efforts to sell its electricity in Texas’ power market for that day, but it wouldn’t threaten plant safety, or cause an outage, says control system cyber security expert Joe Weiss. “The people in Texas aren’t going to see their lights flicker as a result of this,” says Weiss. “This is an economic issue.”

When he was terminated, Shin allegedly promised to return his company-issue laptop the next day. But he failed to deliver until a corporate security agent showed up at his front porch on March 5 to retrieve the computer.

The company reported the sabotage to the FBI on March 6, estimating over $26,000 in losses. EFH did not return a phone call Friday. Threat Level couldn’t locate a phone number for Shin, and he did not respond to an e-mail query — possibly because the FBI seized all his computer gear, including over two dozen PCs and laptops, various thumb drives, DVDs, CDs, an iPod and a Wii.

Cyber security professionals and government agencies have long warned that intruders could tamper with the computerized control systems that operate portions of the North American electric grid, though so far no confirmed cases of such sabotage have surfaced. In March, though, a Los Angeles federal grand jury indicted a disgruntled tech employee on allegations of temporarily disabling a computer system detecting pipeline leaks for three oil derricks off the Southern California coast. In 2003, the Slammer worm penetrated the operations network at Ohio’s Davis-Besse nuclear power plant, disabling a safety monitoring system for nearly five hours.